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Security Direction Report 


Overview 


This purpose of this report is to provide advice and direction toward reducing the 
attack surface and improving the security in accordance to the Open Source 
Security Testing Methodology Manual v3 (OSSTMM). The tests were made using 
standard security and networking tools. Vulnerability tests were made using 
Netsense Gravity (https://gravity.netsense.ch) and exploit research from Picus 
(https://www.picussecurity.com). Initial scope began with the following 
information: 

IPv4 Addresses: 




Security Overview 

The test findings showed the CSL network to be in 



.The 


rav is a measurement of the balance between operations, vulnerabilities, and 
controls. It is used to measure your security posture where lOOrav is perfect 
balance. 


Score: 


Actual Security: 



Attack Surface: 
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For usability, that score is translated into a percentage for the attack surface, the 
area left uncontrolled or vulnerable, which is the difference between lOOrav and 
the rav score. An attack surface greater than 10% is considered problematic as it 
is “reactive security” and will require heavy resources to maintain security. An 
attack surface greater than 20% is considered difficult and likely to be already 
breached. 


Security Assessment 


The CSL network appears 
complicated at first look 
however it’s a ■ 


m| This shows an 
inherent vulnerability in the 
infrastructure that^^^B 
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Illustration 1: Old, unmaintainable systems must be run in quarantine. 


This also assures Single Points of Failure 
where a Denial of Service Attack on any of a majority of the systems will lead to 
all systems being unusable. The first step to security is 
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Illustration 2: Third-party vendor-controlled 
systems must be separated from CSL systems. 


2 www.cryptomove.com Follow us @cryptomove | Highly Proprietary & Confidential, CryptoMove Inc. 

























tryptoflov? 



Illustration server certificates and 

cryptography protocols. 
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Illustration 4: Security device administration is exposed. 



3 www.cryptomove.com | Follow us (< 
























^ t)ryptoflove 



Remediation 

As a company which provides a cryptographically secure and resilient means for 
protecting your critical network data, keys, and assets, we have identified many 
places where CryptoMove can integrate its products within the CSL network 
which would greatly improve security, integrity, and privacy. However, this alone 
will not protect availability of the data if CSL does not address critical concerns. 

It is our recommendation that remediation start as the following in this order: 

1. Lock down critical assets with CryptoMove. 

At this point you’ve closed off vulnerable servers and services however without a 
forensic investigation, you can’t know if you’ve already been compromised. 
Therefore it’s important to lock down critical assets, keys, and personal data as 
quickly as possible. This is actually the fastest way for you do that without a large 
team of IT personnel cleaning or reinstalling all your systems. 

2. Segment the network to separate systems, 

putting Vendor and 3 rd party systems together, quarantining older operating 
systems which can’t be maintained into smaller sandboxes that are not directly 
connected to the Internet or other systems, and critical and administration 
systems from the rest. Separate authentication credentials by changing current 
and default login accounts and resetting all user passwords in case of 
compromise. 

3. Separate administrative access to machines 

through a bastion host so no direct access for login is available over the Internet. 
This provides a form of 2-factor authentication which makes the system 
substantially more secure. 
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4. Harden the systems to least privilege, 

remove defaults in passwords and users, close unused services, remove remote 
development services, and update operational controls like cryptographic 
methods and certificates. Remove unneeded applications and server-side 
technologies from web servers. 

5. Get a monitoring system in place, 

preferably one with automation and intrusion response. This can be a SIEM or an 
IDS/IPS. The most important rules you’ll require initially are controlling how much 
data can move from one system over a given time period, how many attempts 
one can make to any login, and non-repudiation over what systems and users 
are accessing at any given time. 

6. Address your information leaks, 

especially the DNS inconsistencies. Visibility research lead to the following 
systems which make up the engagement zone, considered “opportunity” in the 
attack surface and the interactive parts of the scope. Therefore review these 
domains and addresses with your records to assure that your information is 
correct as this is how your configurations reveal your environment to the Internet: 


No IP associated with 


ftp.sanleandro.org 
ts.sanleandro.org 

smtp-02-b.ci.san-leandro.ca.us 
nsl.sanleandro.org 

ns2.ci.san-leandro.ca.us, ns3.ci.san-leandro.ca.us, 
3.sanleandro.org 

weblink.sanleandro.org 
mpxl.ci.san-leandro.ca.us 
legacy.sanleandro.org 
archive.sanleandro.org 
proxy.sanleandro.org 
ch-webext.sanleandro.org 
ise.sanleandro.org 
ch-adfsi.sanleandro.org 
pd-adfsi.sanleandro.org 

pays1library.sanleandro.org 
access.sanleandro.org 

ch-sbcl.sanleandro.org 
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ch-sbc2.sanleandro.org 


Exceptions 

The following system is hosted yet vital to the scope therefore it was tested 
carefully without the use of exploits: 


sanleandro.org, www.sanleandro.org, 
www.sanleandropubliclibrary.com, 
www.sanleandropubliclibrary.org, www.sanleandrolibrary.com, 
www.sanleandrolibrary.org 


Extended Scope 

The following systems were not within the engagement zone because they 
resided with third parties therefore they were not tested however your 
infrastructure is tied to these systems. 


san-leandro . ca . us , www.san-leandro.ca.us, 

sanleandro.onmicrosoft.com, autodiscover.outlook.com, 
autodiscover.sanleandro.org, login.microsoftonline.com 



sip.sanleandro.org 

sanleandrolibrary.org, rs-webhost-03.pixelpushers.com 

energytracker.sanleandro.org 

h*.ds3atm-ch.ci.san-leandro.ca.us 


7. Address your system vulnerabilities. 

The weaknesses and vulnerabilities in your systems are^^^^^^^^H 
mi However most can be fixed by simply fully updating your systems to current 
versions. However, the previous steps you’ve taken towards securing your 
network have already addressed many of the dangers that these vulnerabilities 
could have caused. Here is a list of the systems with most critical vulnerabilities: 



According to its self-reported version number, the installation of Microsoft Internet 
Information Services (IIS) 6.0 on the remote host is no longer supported. Lack of 
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support implies that no new security patches for the product will be released by 
the vendor. As a result, it is likely to contain security vulnerabilities. 


The remote DNS server answers to any request. It is possible to query the name 
servers (NS) of the root zone ('.') and get an answer that is bigger than the 
original request. 


This may allow a remote attacker to determine which 
domains have recently been resolved via this name server, and therefore which 
hosts have been recently visited. 

For instance, if an attacker was interested in whether your company utilizes the 
online services of a particular financial institution, 

Of course, the attack can also be used to find B2B partners, web¬ 
surfing patterns, external mail servers, and more. 


The remote host supports and therefore may be affected by a vulnerability 

that allows a cross-protocol Bleichenbacher padding oracle attack known as 
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). This 
vulnerability exists due to a 

and it allows captured TLS traffic to be decrypted. A man-in-the- 
middle attacker can exploit this to decrypt the TLS connection ■■■■ 


It is possible to query the remote name server for third-party names. 

it allows anyone to use it to resolve third 


party names. This allows attackers to perform cache poisoning attacks against 
this nameserver. If the host allows these recursive queries via UDP,HHH 




Make sure that browsable directories do not leak confidential informative or give 
access to sensitive resources. Additionally, use access restrictions or disable 
directory indexing for any that do. The following directories are browsable: 
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Summary 

The following matrix represents your current attack surface to help you see 
missing or unsatisfactory controls for various types of attacks. Since a matrix 
requires white box testing with full cooperation from staff, this matrix is limited by 
the test vector and therefore likely incomplete. Regardless, this matrix represents 
protections covering all possible types of attacks. Full coverage of all controls 
means you are fully protected against any kind of attack. A red X shows there is 
no control of this type for your infrastructure. 


Control 

Interactive Points 

PHYSICAL 

NETWORK 

SERVER 

APPLICATIONS 

Authentication 

■ 

l 

W^ m 


Indemnification 

■ 

l 

1 

l 

Resilience 

■ 

1 

1 

l 

Subjugation 

■ 


1 

l 

Continuity 

■ 

s 


1 

Non-Repudiation 

■ 

i 

1 

l 

Confidentiality 

■ 

i 

■ 


Privacy 

■ 

i 

1 

l 

Integrity 

■ 


■ 


Alarm 

■ 

i 

1 

1 


As you can see, the CSL infrastructure needs much more work beyond these 
recommendations. Based on your processes, it is highly recommended you build 
a more resilient security posture that requires much less maintenance than you 
have now. That will let you focus on improving technology without getting mired 
in putting out fires all the time like malware, breaches, and stolen user accounts. 
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